
A couple of security questions

Hi,

I was just doing some reading through threads about security issues and PHP. There were a few things that I would like clarified.

"As a general rule, always escape any variable which will be used in a query, where the value of the variable was obtained from "outside" e.g. a form post or a cookie - you'll feel generally more relaxed if you do...." - Exactly how do you 'escape' a variable?

Another post mentioned that you should not use quotes around any variables that have numeric values in a query. Does this mean I should be writing

For your first question... they probably meant to error check it. If the variable should only be numeric, check that. If it should only be alphanumeric, check that. If it can't have any special characters, set that... etc.

With addslashes() if magic_quotes_gpc is Off. Otherwise it's already done and you don't need to do anything. Of course I recommend my code in the coding tips thread to make sure magic_quotes_gpc is always "Off."

See, people, this is why magic_quotes_gpc should never have existed. It messes things up in so many cases when its purpose was to make things "easier." Well, it'd be super easy if it didn't exist. You'd tell people one thing that would always work right with no ifs, ands, or buts: use addslashes().

That's not the case, however. Man, I hate PHP sometimes. No other language I've ever heard of does things as stupid as register_globals and magic_quotes.

Originally Posted by coiL

Another post mentioned that you should not use quotes around any variables that have numeric values in a query.

I think that's my signature!

If something is supposed to be numeric, there's no reason to use addslashes(); just type cast it as (int) and it'll make sure it's a number. E.g. for a supposed-to-be-numeric $_GET['id']:

$_GET['id'] = (int) $_GET['id'];
// Now it's safe to use $_GET['id'] in a query

And of course don't put quotes around the value of $_GET['id'] in the query.

- Matt ** Ignore old signature for now... **
Dr.BB - Highly optimized to be 2-3x faster than the "Big 3." "Do not enclose numeric values in quotes -- that is very non-standard and will only work on MySQL." - MattR
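The two rules the replies above give (type-cast numeric values, escape string values only when magic_quotes_gpc is Off, and quote only the strings in the query), put together in one script. This is an added example, not code from any poster in the thread; it assumes the PHP 4/5 era the thread is written in, where magic_quotes_gpc and get_magic_quotes_gpc() still exist, and uses constructed $_GET values in place of a real request.

```php
<?php
// Added example: applying the thread's two rules to request input
// before it is placed in a query string.

// Constructed sample input standing in for a real request.
// 'id' is not clean numeric input; 'name' contains a single quote.
$_GET = array('id' => '7abc', 'name' => "O'Brien");

// Rule 1: a value that must be numeric is type-cast, never escaped.
// (int) keeps the leading integer digits and discards whatever follows,
// so nothing but a number can end up in the query.
$id = (int) $_GET['id'];

// Rule 2: a string value is escaped with addslashes(), but only when
// magic_quotes_gpc is Off. When it is On, PHP has already added the
// backslashes, and escaping a second time would store "O\\'Brien".
function escape_for_query($value)
{
    if (get_magic_quotes_gpc()) {
        return $value;          // already escaped by PHP at request time
    }
    return addslashes($value);  // turns O'Brien into O\'Brien
}
$name = escape_for_query($_GET['name']);

// The numeric value goes in unquoted, the string value quoted,
// as the signature above says.
$sql = "SELECT * FROM users WHERE id = $id AND name = '$name'";

var_dump($id);
echo $sql, "\n";
```

Because (int) is applied unconditionally and addslashes() only when PHP has not already done it, the same script behaves the same whichever way magic_quotes_gpc is set, which is the point the second reply makes about making that setting irrelevant.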